Generate CSR and store new certificate

[tadejg]

Is it possible to use the stored private key to generate a CSR and store a newly signed certificate in the esp_secure_cert partition?

[AdityaHPatwardhan]

Hi @tadejg,
Yes it is possible to store the newly signed certificate in the esp_secure_cert partition. It can be done externally through the python script. The newly signed certificate can be provided as the device certificate to the script.

python configure_esp_secure_cert.py --device-cert newly_signed_certificate.pem

[tadejg]

@AdityaHPatwardhan Yes, I know you can use the python script. Maybe I wasn't specific enough in my initial question. I want the device to be able to renew its certificate while deployed in the wild. So I'm looking for a way to do this on the device, in firmware.

[AdityaHPatwardhan]

Ah, okay.
As of now we have not supported the ability to write into the esp_secure_cert partition.
But internal discussion is ongoing about this.
I will update about this.

[tadejg]

Understood, thanks. In that case, should I leave the issue open?

[zafeer-birde]

@AdityaHPatwardhan any update on this ?

[AdityaHPatwardhan]

Hi @tadejg @zafeer-birde We have started development for this feature, this should be available in a few days.

[zafeer-birde]

@AdityaHPatwardhan to confirm is this complete now ?
Do we have an example to try this out ?

[AdityaHPatwardhan]

Hi @zafeer-birde Sorry, this is still in progress. Should be converged by end of the week or mid next week.
Sorry for the delay.

[zafeer-birde]

Hi @zafeer-birde Sorry, this is still in progress. Should be converged by end of the week or mid next week. Sorry for the delay.

@AdityaHPatwardhan any update ?

[AdityaHPatwardhan]

Hi @zafeer-birde The MR is in the review stage, should be merged by next week.
Sorry for the delay

[zafeer-birde]

@AdityaHPatwardhan can we have some definite timelines for this ? We are waiting to implement a feature on certs regeneration which is currently blocked.

[AdityaHPatwardhan]

Hi @zafeer-birde I am sharing this patch with you, It contains the support for appending to the esp_secure_cert partition. please check if it solves your blocker.
support_writing.patch.zip

Additionally, I wanted to understand the reason for this to be a blocker. There are other secure storage implementations as well, were they not suitable for your application ? ( e.g. NVS).

[jimmyw]

@AdityaHPatwardhan Do you know if its possible to generate a CSR in runtime, that is signed with the private key in DS store that i can send to a server for signing?

The example code you wrote, is to write down that cert you get back.

I have looked at MBEDTLS code, and the code path for generating a CSR is bound to having a private key in a pem file you store, and not to access it from DS storage. Dont think there should be any limitations on that, just think its not supported yet, or at least that i know of.

The use case for this, is to allow sign a new certificate from a new service with a the key stored in the ESP in factory not replacing the device key.

[AdityaHPatwardhan]

@jimmyw I see no reason for it to be prohibited for generating a CSR at runtime using the DS peripheral.
Technically the private key is only required to sign the TBS content of the CSR. The DS peripheral supports the signing operation through the key, so it should be supported.

If it helps your to fix your issue, I would like to suggest following

1. Have you tried generating a pk context for the private key with mbedtls_pk_setup_rsa_alt API ? ( we do similar in the esp-tls component when we are using RSA key from the DS instead of plaintext key (https://github.com/espressif/esp-idf/blob/b4268c874a4cf8fcf7c0c4153cffb76ad2ddda4e/components/esp-tls/esp_tls_mbedtls.c#L1093).
   I think it should be possible to provide this pk context for the key to the CSR generation API.

If the above suggestion does not help, I think it is better to take this discussion to https://github.com/Mbed-TLS/mbedtls/issues which is the appropriate place for mbedTLS specific questions.